public async Task TestFullFlow()
{
var sa = "sa:namespace";
var data = "data";
var encrypted = await mAwsKeyManagement.Encrypt(data, sa);
var decrypted = await mAwsKeyManagement.Decrypt(encrypted, sa);
Assert.Equal(data, decrypted);
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
if (data.Length <= mMaximumDataLength)
{
return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
}
mLogger.Information($"Encryption data too length, using envelope encryption");
var encryptedData = await mDataKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing);
var encryptedKey = await mMasterKeyManagement.Encrypt(mDataKeyManagement.GetEncryptionKey(), serviceAccountId, createKeyIfMissing);
return("env" + "$" + encryptedKey + "$" + encryptedData);
}
public async Task <string> Encrypt(string data, string serviceAccountId, bool createKeyIfMissing = true)
{
if (data.Length <= mMaximumDataLength)
{
return(await mMasterKeyManagement.Encrypt(data, serviceAccountId, createKeyIfMissing));
}
mLogger.Information("Encryption data too length, using envelope encryption");
var dataKey = RijndaelUtils.GenerateKey(256);
var(encryptedData, iv) = RijndaelUtils.Encrypt(dataKey, Encoding.UTF8.GetBytes(data));
var encryptedDataKey = await mMasterKeyManagement.Encrypt(Convert.ToBase64String(dataKey), serviceAccountId, createKeyIfMissing);
return(EnvelopeEncryptionUtils.Wrap(encryptedDataKey, iv, encryptedData));
}
public async Task <ActionResult> Encrypt([FromBody] EncryptRequest body)
{
if (!ModelState.IsValid)
{
mAuditLogger.Warning("Bad request to Encrypt API: {sourceIP} {validationState}",
Request.HttpContext.Connection.RemoteIpAddress,
ModelState.ValidationState);
return(BadRequest("One or more of the required fields doesn't present in the request body."));
}
mAuditLogger.Information("Encryption request started, SourceIP: {sourceIp}, ServiceAccount: {sa}, Namespace: {namespace}",
Request.HttpContext.Connection.RemoteIpAddress,
body.ServiceAccountName,
body.NamespaceName);
var encryptedData = await mKeyManagement.Encrypt(body.Data, body.ServiceAccountName);
if (body.ServiceAccountName == "default")
{
return(BadRequest("You cannot encrypt a secret for the default service account"));
}
mAuditLogger.Information("Encryption request succeeded, SourceIP: {sourceIp}, ServiceAccount: {serviceAccount}, Namesacpe: {namespace}",
Request.HttpContext.Connection.RemoteIpAddress,
body.ServiceAccountName,
body.NamespaceName);
return(Content(encryptedData));
}
public async Task Encrypt_KeyDoesNotExist_CreateIt()
{
var data = "test";
var serviceAccountId = "default:" + Guid.NewGuid();
await mAzureKeyManagement.Encrypt(data, serviceAccountId);
var keyId = $"https://{mKeyVaultName}.vault.azure.net/keys/{ComputeKeyId(serviceAccountId)}";
try
{
await mKeyVaultClient.GetKeyAsync(keyId);
}
catch (KeyVaultErrorException e) when(e.Response.StatusCode == HttpStatusCode.NotFound)
{
throw new Exception("New key was not created in the key vault");
}
finally // clean up
{
await mKeyVaultClient.DeleteKeyAsync($"https://{mKeyVaultName}.vault.azure.net", ComputeKeyId(serviceAccountId));
}
}
public async Task <ActionResult> Encrypt([FromBody] EncryptRequest body)
{
mAuditLogger.Information("Encryption request started, SourceIP: {sourceIp}, ServiceAccount: {sa}, Namespace: {namespace}",
Request.HttpContext.Connection.RemoteIpAddress,
body.SerivceAccountName,
body.NamesapceName);
var encryptedData = await mKeyManagement.Encrypt(body.Data, $"{body.NamesapceName}:{body.SerivceAccountName}");
if (body.SerivceAccountName == "default")
{
return(BadRequest("You cannot encrypt a secret for the default service account"));
}
mAuditLogger.Information("Encryption request succeeded, SourceIP: {sourceIp}, ServiceAccount: {serviceAccount}, Namesacpe: {namespace}",
Request.HttpContext.Connection.RemoteIpAddress,
body.SerivceAccountName,
body.NamesapceName);
return(Content(encryptedData));
}
public async Task DataIsLessThenMaximumConfiguration_NoEnvelope()
{
var encryptedData = await mDecorator.Encrypt("123", "a-service-account");
Assert.DoesNotContain(encryptedData, "env$");
}